Bug 26879 - coturn new security issue CVE-2020-4067
Summary: coturn new security issue CVE-2020-4067
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-07-01 20:51 CEST by David Walser
Modified: 2020-07-10 10:02 CEST (History)
6 users (show)

See Also:
Source RPM: coturn-4.5.0.7-2.3.mga7.src.rpm
CVE: CVE-2020-4067
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-07-01 20:51:16 CEST 
Debian has issued an advisory on June 29:
https://www.debian.org/security/2020/dsa-4711

The issue is fixed upstream in 4.5.1.3.

Mageia 7 is also affected.
David Walser 2020-07-01 20:52:16 CEST

Status comment: (none) => Fixed upstream in 4.5.1.3
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-07-01 21:40:24 CEST 
This SRPM has been maintained by various packagers, so assigning this globally.
CC'ing the last registered maintainer mitya/Dimitri in case he wants to come back on board.

CC: (none) => mitya
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-07-07 10:37:24 CEST 
Suggested advisory:
========================

The updated package fixes a security vulnerability:

In coturn before version 4.5.1.3, there is an issue whereby STUN/TURN response buffer is not initialized properly. There is a leak of information between different client connections. One client (an attacker) could use their connection to intelligently query coturn to get interesting bytes in the padding bytes from the connection of another client. (CVE-2020-4067)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4067
https://www.debian.org/security/2020/dsa-4711
========================

Updated package in core/updates_testing:
========================
coturn-4.5.0.7-2.4.mga7

from SRPM:
coturn-4.5.0.7-2.4.mga7.src.rpm

Status comment: Fixed upstream in 4.5.1.3 => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-4067
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: coturn-4.5.1.2-1.mga8.src.rpm => coturn-4.5.0.7-2.3.mga7.src.rpm

Comment 3 Herman Viaene 2020-07-08 14:29:51 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26413 for testing
# systemctl -l status turnserver
● turnserver.service - coturn
   Loaded: loaded (/usr/lib/systemd/system/turnserver.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:coturn(1)
           man:turnadmin(1)
           man:turnserver(1)

Jul 08 14:17:20 mach5.hviaene.thuis systemd[1]: /usr/lib/systemd/system/turnserver.service:10: PIDFile= references path below>

# systemctl start turnserver

# systemctl -l status turnserver
● turnserver.service - coturn
   Loaded: loaded (/usr/lib/systemd/system/turnserver.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-07-08 14:17:47 CEST; 3s ago
     Docs: man:coturn(1)
           man:turnadmin(1)
           man:turnserver(1)
  Process: 29861 ExecStart=/usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf $EXTRA_OPTIONS (code=exited, status=0/SU>
 Main PID: 29862 (turnserver)
    Tasks: 9 (limit: 4915)
   Memory: 5.2M
   CGroup: /system.slice/turnserver.service
           └─29862 /usr/bin/turnserver -o -c /etc/turnserver/turnserver.conf

Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: turn server id=1 created
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (general relay thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: turn server id=3 created
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (general relay thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: turn server id=2 created
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: Total General servers: 4
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (auth thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (auth thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: IO method (admin thread): epoll (with changelist)
Jul 08 14:17:47 mach5.hviaene.thuis turnserver[29862]: 1: SQLite DB connection success: /var/db/turndb

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2020-07-08 14:37:26 CEST 
No other machine available so testing locally:
$ netstat -nl | grep 3478
tcp        0      0 192.168.2.5:3478        0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:3478          0.0.0.0:*               LISTEN     
tcp6       0      0 ::1:3478                :::*                    LISTEN     
sctp                ::1:3478                                        LISTEN     
sctp                ::1:3478                                        LISTEN     
sctp                ::1:3478                                        LISTEN     
sctp                ::1:3478                                        LISTEN     
sctp                192.168.2.5:3478                                LISTEN     
sctp                192.168.2.5:3478                                LISTEN     
sctp                192.168.2.5:3478                                LISTEN     
sctp                192.168.2.5:3478                                LISTEN     
sctp                127.0.0.1:3478                                  LISTEN     
sctp                127.0.0.1:3478                                  LISTEN     
sctp                127.0.0.1:3478                                  LISTEN     
sctp                127.0.0.1:3478                                  LISTEN     
udp        0      0 192.168.2.5:3478        0.0.0.0:*                          
udp        0      0 192.168.2.5:3478        0.0.0.0:*                          
udp        0      0 192.168.2.5:3478        0.0.0.0:*                          
udp        0      0 192.168.2.5:3478        0.0.0.0:*                          
udp        0      0 127.0.0.1:3478          0.0.0.0:*                          
udp        0      0 127.0.0.1:3478          0.0.0.0:*                          
udp        0      0 127.0.0.1:3478          0.0.0.0:*                          
udp        0      0 127.0.0.1:3478          0.0.0.0:*                          
udp6       0      0 ::1:3478                :::*                               
udp6       0      0 ::1:3478                :::*                               
udp6       0      0 ::1:3478                :::*                               
udp6       0      0 ::1:3478                :::*                               
[tester7@mach5 ~]$ telnet 192.168.2.5 3478
Trying 192.168.2.5...
Connected to mach5.hviaene.thuis (192.168.2.5).
Escape character is '^]'.

Looks OK to me

Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-07-08 21:02:24 CEST 
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-07-09 17:37:56 CEST

Keywords: (none) => advisory
CC: (none) => mageia

Comment 6 Mageia Robot 2020-07-10 10:02:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0287.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.